https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724516#M901867 <P>All port have Cisco 6921 phones with Dell Pc's behind them.</P> <P>I think I may have found the culprit.......SCCM wake up proxy.</P> <P>&nbsp;</P> <P>I was seeing mac addresses of different pc's switching to different ports even though those pc's were not physically doing it. So I started to think "mac flap" which finally lead me to this post:</P> <P><A href="https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432" target="_self">https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432</A></P> <P>So, into SCCM and disabled M$ version of wake on lan called "Wake up proxy" and since that, all appears ok.</P> <P>Early days yet but it's looking promising. Microsoft strikes again!!!</P> <P>&nbsp;</P> Fri, 12 Oct 2018 18:57:11 GMT louis0001 2018-10-12T18:57:11Z https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724183#M901864 <P>I've got a really strange issue going on with MAB &amp; dot1x with ports going into security violation every now and again claiming a new mac address is seen. Problem is, I know for sure that the clients aren't being changed on the ports so I'm not sure where the new mac address is coming from?</P> <P>&nbsp;</P> <P><STRONG>The ports are using:</STRONG></P> <P>MAB for Cisco phones<BR />Dot1x for clients behind the phones.</P> <P>&nbsp;</P> <P><STRONG>A typical error is:</STRONG></P> <DIV id="msg"> <P>%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36</P> <P>&nbsp;</P> <P><STRONG>Interface config:</STRONG></P> <P>interface GigabitEthernet0/8<BR />&nbsp;description PORT 916<BR />&nbsp;switchport mode access<BR />&nbsp;switchport voice vlan 250<BR />&nbsp;authentication control-direction in<BR />&nbsp;authentication event fail retry 0 action authorize vlan 100<BR />&nbsp;authentication event server dead action authorize vlan 200<BR />&nbsp;authentication event no-response action authorize vlan 100<BR />&nbsp;authentication event server alive action reinitialize<BR />&nbsp;authentication host-mode multi-domain<BR />&nbsp;authentication order mab dot1x<BR />&nbsp;authentication priority dot1x mab<BR />&nbsp;authentication port-control auto<BR />&nbsp;authentication periodic<BR />&nbsp;authentication timer reauthenticate server<BR />&nbsp;mab<BR />&nbsp;dot1x pae authenticator<BR />&nbsp;dot1x timeout tx-period 10<BR />&nbsp;spanning-tree portfast<BR />&nbsp;spanning-tree bpduguard enable</P> <P>&nbsp;</P> <P>There are no timeouts on the aaa servers and NPS is configured to use in following order:</P> <P>1. Dot1x for windows group domain computers<BR />2. MAB for Cisco phones for windows group Cisco Phones (not member of domain computers)</P> <P>We're testing with a 3560 (old but with 15.2) and a 2960s-psl (using 15.2) and we're getting the same issue so I'm convinced it's some sort of mis config rather than the switches/firmware</P> <P>I'm a little lost to what's occurring here so any pointers would be appreciated.</P> </DIV> Fri, 21 Feb 2020 16:20:48 GMT https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724183#M901864 louis0001 2020-02-21T16:20:48Z https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724224#M901865 <P>Even more strange is over the last 24 hours I've seen the new mac address seen as:</P> <P>90b1.1c64.cdb5<BR />90b1.1c64.3e5e</P> <P>90b1.1c64.935d</P> <P>and the client hasn't been changed. the first 2 are jumping between g0/8 &amp; G0/9?</P> <P>&nbsp;</P> Fri, 12 Oct 2018 09:29:22 GMT https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724224#M901865 louis0001 2018-10-12T09:29:22Z https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724230#M901866 <P>what is the device connected to this port -&nbsp;<SPAN>interface GigabitEthernet0/8 ?&nbsp;</SPAN></P> <P>&nbsp;</P> Fri, 12 Oct 2018 09:30:14 GMT https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724230#M901866 balaji.bandi 2018-10-12T09:30:14Z https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724516#M901867 <P>All port have Cisco 6921 phones with Dell Pc's behind them.</P> <P>I think I may have found the culprit.......SCCM wake up proxy.</P> <P>&nbsp;</P> <P>I was seeing mac addresses of different pc's switching to different ports even though those pc's were not physically doing it. So I started to think "mac flap" which finally lead me to this post:</P> <P><A href="https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432" target="_self">https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432</A></P> <P>So, into SCCM and disabled M$ version of wake on lan called "Wake up proxy" and since that, all appears ok.</P> <P>Early days yet but it's looking promising. Microsoft strikes again!!!</P> <P>&nbsp;</P> Fri, 12 Oct 2018 18:57:11 GMT https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724516#M901867 louis0001 2018-10-12T18:57:11Z https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724553#M901869 <P>Glad you found the issue, i was guessing some VM in the PC, like hyper-visor.</P> <P>&nbsp;</P> Fri, 12 Oct 2018 19:57:20 GMT https://community.cisco.com/t5/network-security/mab-amp-dot1x-with-nps-new-mac-address-is-seen/m-p/3724553#M901869 balaji.bandi 2018-10-12T19:57:20Z